[svlug] bind vulnerability

[Rick Moen]

Thanks, Brian.

OK, let's assume a user is running Red Hat and prefers not to compile
from source.  If you don't remember where the update packages are, go to
http://www.redhat.com/, for lack of a better starting point.  Pick the
"Support" link.  Pick "Updates and Errata".  Pick "All Red Hat Linux
Errata".  You see links for the various numbered Red Hat releases.

Let's say the user is running RH 6.1 for x86 (as Gordon is[1]).  So, hit
the "Version 6.1" link.  Sheesh, what a screw-up!  The only BIND update
they have is dated 2000-11-27.  Wow, _that's_ pretty stunningly useless.

So, if the user has been following RH news at all, he'll know that 6.1
and 6.2 are awfully close, so he might as well look on the 6.2 update
page.  Back up.  Go to "Security Advisories" for 6.2.  Ah, there's a
"bind (RHSA-2001-007)" package, dated 2001-01-29.  

Says it fixes mumblety-mumble security problems, which they don't bother
to actually identify.  But they link to bug-database entry #25186, which
is marked as a duplicate and cross-references to #25209.  The question
is, does it specifically fix the TSIG and Infoleaf bugs, found in
January?  Unfortunately, the bug-database entry is a bit vague, but it
seems very likely.

So, pull down the "bind (RHSA-2001-007)" package, and see if you meet
its dependencies.  (The RH page is woefully uninformative, on the latter
point.)  Good luck getting ftp connections to updates.redhat.com!
You're better off finding a mirror.  You might want to grab the
bind-utils update package, at the same time.

I hope this helps.  Similar drills apply for other distributions' binary
update packages.

[1] Gordon, please think hard about rebuilding your machine(s) using 6.2.

-- 
Cheers,                                      Right to keep and bear
Rick Moen                                  Haiku shall not be abridged
rick at linuxmafia.com                           Or denied.  So there.